Commit ccc5fcf

freshness review

1 parent 72495a5 commit ccc5fcf

1 file changed

+46
-45
lines changed
articles/frontdoor/managed-identity.md

Lines changed: 46 additions & 45 deletions
@@ -6,128 +6,129 @@ services: networking
66
author: duongau
77
ms.service: azure-frontdoor
88
ms.topic: conceptual
9-
ms.date: 12/13/2023
9+
ms.date: 11/12/2024
1010
ms.author: duau
1111
---
1212

1313
# Use managed identities to access Azure Key Vault certificates
1414

15-
A managed identity generated by Microsoft Entra ID allows your Azure Front Door instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages the identity resource, so you don't have to create or rotate any secrets. For more information about managed identities, see[What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
15+
Managed identities provided by Microsoft Entra ID enable your Azure Front Door instance to securely access other Microsoft Entra protected resources, such as Azure Key Vault, without the need to manage credentials. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
1616

17-
Once you enable managed identity for Azure Front Door and grant proper permissions to access your Azure Key Vault, Front Door only uses managed identity to access the certificates. If you don't **add the managed identity permission to your Key Vault**, custom certificate autorotation and adding new certificates fails without permissions to Key Vault. If you disable managed identity, Azure Front Door falls back to using the original configured Microsoft Entra App. This solution isn't recommended and will be retired in the future.
17+
After you enable managed identity for Azure Front Door and granting the necessary permissions to your Azure Key Vault, Front Door will use the managed identity to access certificates. Without these permissions, custom certificate autorotation and adding new certificates fails. If managed identity is disabled, Azure Front Door will revert to using the original configured Microsoft Entra App, which isn't recommended and will be deprecated in the future.
1818

19-
You can grant two types of identities to an Azure Front Door profile:
19+
Azure Front Door supports two types of managed identities:
2020

21-
* A **system-assigned** identity is tied to your service and is deleted if your service is deleted. The service can have only **one** system-assigned identity.
21+
* **System-assigned identity**: This identity is tied to your service and is deleted if the service is deleted. Each service can have only one system-assigned identity.
22+
* **User-assigned identity**: This is a standalone Azure resource that can be assigned to your service. Each service can have multiple user-assigned identities.
2223

23-
* A **user-assigned** identity is a standalone Azure resource that can be assigned to your service. The service can have **multiple** user-assigned identities.
24+
Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. If a subscription is moved to a different directory, you need to recreate and reconfigure the identity.
2425

25-
Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you need to recreate and reconfigure the identity.
26-
27-
You also have the option to configure Azure Key Vault access using [role-based access control (RBAC)](#role-based-access-control-rbac) or [access policy](#access-policy).
26+
You can configure Azure Key Vault access using either [role-based access control (RBAC)](#role-based-access-control-rbac) or [access policy](#access-policy).
2827

2928
## Prerequisites
3029

31-
Before you can set up managed identity for Azure Front Door, you must have an Azure Front Door Standard or Premium profile created. To create a new Front Door profile, see [create an Azure Front Door](create-front-door-portal.md).
30+
Before setting up managed identity for Azure Front Door, ensure you have an Azure Front Door Standard or Premium profile. To create a new profile, see [create an Azure Front Door](create-front-door-portal.md).
3231

3332
## Enable managed identity
3433

35-
1. Go to an existing Azure Front Door profile. Select **Identity** from under *Security* on the left side menu pane.
34+
1. Navigate to your existing Azure Front Door profile. Select **Identity** under *Security* in the left menu.
3635

3736
:::image type="content" source="./media/managed-identity/overview.png" alt-text="Screenshot of the identity button under settings for a Front Door profile.":::
3837

39-
1. Select either a **System assigned** or a **User assigned** managed identity.
38+
1. Choose either a **System assigned** or **User assigned** managed identity.
4039

41-
* **[System assigned](#system-assigned)** - a managed identity is created for the Azure Front Door profile lifecycle and is used to access Azure Key Vault.
40+
* **[System assigned](#system-assigned)** - A managed identity tied to the Azure Front Door profile lifecycle, used to access Azure Key Vault.
4241

43-
* **[User assigned](#user-assigned)** - a standalone managed identity resource is used to authenticate to Azure Key Vault and has its own lifecycle.
42+
* **[User assigned](#user-assigned)** - A standalone managed identity resource with its own lifecycle, used to authenticate to Azure Key Vault.
4443

4544
### System assigned
4645

47-
1. Toggle the *Status* to **On** and then select **Save**.
46+
1. Toggle the *Status* to **On** and select **Save**.
4847

4948
:::image type="content" source="./media/managed-identity/system-assigned.png" alt-text="Screenshot of the system assigned managed identity configuration page.":::
5049

51-
1. You're prompted with a message to confirm that you would like to create a system managed identity for your Front Door profile. Select **Yes** to confirm.
50+
1. Confirm the creation of a system managed identity for your Front Door profile by selecting **Yes** when prompted.
5251

5352
:::image type="content" source="./media/managed-identity/system-assigned-confirm.png" alt-text="Screenshot of the system assigned managed identity confirmation message.":::
5453

55-
1. Once the system assigned managed identity gets created and registered with Microsoft Entra ID, you can use the **Object (principal) ID** to grant Azure Front Door access to your Azure Key Vault.
54+
1. Once created and registered with Microsoft Entra ID, use the **Object (principal) ID** to grant Azure Front Door access to your Azure Key Vault.
5655

5756
:::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Microsoft Entra ID.":::
5857

5958
### User assigned
60-
61-
You must already have a user managed identity created. To create a new identity, see [create a user assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
62-
63-
1. In the **User assigned** tab, select **+ Add** to add a user assigned managed identity.
64-
65-
:::image type="content" source="./media/managed-identity/user-assigned.png" alt-text="Screenshot of the user assigned managed identity configuration page.":::
66-
67-
1. Search and select the user assigned manage identity. Then select **Add** to add the user managed identity to the Azure Front Door profile.
68-
69-
:::image type="content" source="./media/managed-identity/add-user-managed-identity.png" alt-text="Screenshot of the add user assigned managed identity page.":::
70-
71-
1. You see the name of the user assigned managed identity you selected show in the Azure Front Door profile.
72-
73-
:::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the add user assigned managed identity added to Front Door profile.":::
74-
59+
60+
To use a user-assigned managed identity, you must have one already created. For instructions on creating a new identity, see [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
61+
62+
1. In the **User assigned** tab, select **+ Add** to add a user-assigned managed identity.
63+
64+
:::image type="content" source="./media/managed-identity/user-assigned.png" alt-text="Screenshot of the user-assigned managed identity configuration page.":::
65+
66+
1. Search for and select the user-assigned managed identity. Then select **Add** to attach it to the Azure Front Door profile.
67+
68+
:::image type="content" source="./media/managed-identity/add-user-managed-identity.png" alt-text="Screenshot of the add user-assigned managed identity page.":::
69+
70+
1. The name of the selected user-assigned managed identity appears in the Azure Front Door profile.
71+
72+
:::image type="content" source="./media/managed-identity/user-assigned-configured.png" alt-text="Screenshot of the user-assigned managed identity added to the Front Door profile.":::
73+
7574
---
7675

7776
## Configure Key Vault access
7877

79-
* [Role-based access control](#role-based-access-control-rbac) - Grant Azure Front Door access to your Azure Key Vault with fine-grained access control with Azure Resource Manager.
80-
* [Access policy](#access-policy) - Native Azure Key Vault access control to grant Azure Front Door access to your Azure Key Vault.
78+
You can configure Azure Key Vault access using either of the following methods:
79+
80+
* **[Role-based access control (RBAC)](#role-based-access-control-rbac)** - Provides fine-grained access control using Azure Resource Manager.
81+
* **[Access policy](#access-policy)** - Uses native Azure Key Vault access control.
8182

8283
For more information, see [Azure role-based access control (Azure RBAC) vs. access policy](/azure/key-vault/general/rbac-access-policy).
8384

8485
### Role-based access control (RBAC)
8586

86-
1. Navigate to your Azure Key Vault. Select **Access control (IAM)** from under *Settings* and then select **+ Add**. Select **Add role assignment** from the drop-down menu.
87+
1. Navigate to your Azure Key Vault. Select **Access control (IAM)** from the *Settings* menu, then select **+ Add** and choose **Add role assignment**.
8788

8889
:::image type="content" source="./media/managed-identity/role-based-access-control.png" alt-text="Screenshot of the access control (IAM) page for a Key Vault.":::
8990

90-
1. On the *Add role assignment* page, search for **Key Vault Secret User** in the search box. Then select **Key Vault Secret User** from the search results.
91+
1. On the *Add role assignment* page, search for **Key Vault Secret User** and select it from the search results.
9192

9293
:::image type="content" source="./media/managed-identity/role-based-access-control-search.png" alt-text="Screenshot of the add role assignment page for a Key Vault.":::
9394

94-
1. Select the **Members** tab and then select **Managed identity**. Select **+ Select members** to add the managed identity to the role assignment.
95+
1. Go to the **Members** tab, select **Managed identity**, then select **+ Select members**.
9596

9697
:::image type="content" source="./media/managed-identity/role-based-access-control-members.png" alt-text="Screenshot of the members tab for the add role assignment page for a Key Vault.":::
9798

98-
1. Select the *system-assigned* or *user-assigned* managed identity associated to your Azure Front Door and then select **Select** to add the managed identity to the role assignment.
99+
1. Choose the *system-assigned* or *user-assigned* managed identity associated with your Azure Front Door, then select **Select**.
99100

100101
:::image type="content" source="./media/managed-identity/role-based-access-control-select.png" alt-text="Screenshot of the select members page for the add role assignment page for a Key Vault.":::
101102

102-
1. Select **Review + assign** to set up the role assignment.
103+
1. Select **Review + assign** to finalize the role assignment.
103104

104105
:::image type="content" source="./media/managed-identity/role-based-access-control-review.png" alt-text="Screenshot of the review and assign page for the add role assignment page for a Key Vault.":::
105106

106107
### Access policy
107108

108-
1. Navigate to your Azure Key Vault. Select **Access policies** from under *Settings* and then select **+ Create**.
109+
1. Navigate to your Azure Key Vault. Under *Settings*, select **Access policies** and then select **+ Create**.
109110

110111
:::image type="content" source="./media/managed-identity/access-policies.png" alt-text="Screenshot of the access policies page for a Key Vault.":::
111112

112-
1. On the **Permissions** tab of the *Create an access policy* page, select **List** and **Get** under *Secret permissions*. Then select **Next** to configure the principal tab.
113+
1. On the *Create an access policy* page, go to the **Permissions** tab. Under *Secret permissions*, select **List** and **Get**. Then select **Next** to proceed to the principal tab.
113114

114115
:::image type="content" source="./media/managed-identity/permissions.png" alt-text="Screenshot of the permissions tab for the Key Vault access policy.":::
115116

116-
1. On the *Principal* tab, paste the **object (principal) ID** if you're using a system managed identity or enter a **name** if you're using a user assigned manged identity. Then select **Review + create** tab. The *Application* tab is skipped since Azure Front Door gets selected for you already.
117+
1. On the *Principal* tab, enter the **object (principal) ID** for a system-assigned managed identity or the **name** for a user-assigned managed identity. Then select **Review + create**. The *Application* tab is skipped as Azure Front Door is automatically selected.
117118

118119
:::image type="content" source="./media/managed-identity/system-principal.png" alt-text="Screenshot of the principal tab for the Key Vault access policy.":::
119120

120-
1. Review the access policy settings and then select **Create** to set up the access policy.
121+
1. Review the access policy settings and select **Create** to finalize the access policy.
121122

122123
:::image type="content" source="./media/managed-identity/create.png" alt-text="Screenshot of the review and create tab for the Key Vault access policy.":::
123124

124125
## Verify access
125126

126-
1. Go to the Azure Front Door profile you enabled managed identity and select **Secrets** from under *Security*.
127+
1. Go to the Azure Front Door profile where you enabled managed identity and select **Secrets** under *Security*.
127128

128129
:::image type="content" source="./media/managed-identity/secrets.png" alt-text="Screenshot of accessing secrets from under settings of a Front Door profile.":::
129130

130-
1. Confirm **Managed identity** appears under the *Access role* column for the certificate used in Front Door. If you're setting up managed identity for the first time, you need to add a certificate to Front Door to see this column.
131+
1. Confirm that **Managed identity** appears under the *Access role* column for the certificate used in Front Door. If setting up managed identity for the first time, add a certificate to Front Door to see this column.
131132

132133
:::image type="content" source="./media/managed-identity/confirm-set-up.png" alt-text="Screenshot of Azure Front Door using managed identity to access certificate in Key Vault.":::
133134
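Review bot: the rewritten paragraph at new line 17 mixes verb forms and has a subject-verb agreement slip, and since this is the paragraph that states the security-relevant behaviour (without the Key Vault permission, certificate autorotation and new certificates fail; with managed identity disabled, Front Door falls back to the original Microsoft Entra App that is being deprecated), the wording is worth getting exact. Suggest changing "After you enable managed identity for Azure Front Door and granting the necessary permissions to your Azure Key Vault, Front Door will use the managed identity to access certificates." to "After you enable managed identity for Azure Front Door and grant the necessary permissions to your Azure Key Vault, Front Door uses the managed identity to access certificates." and, in the next sentence, "custom certificate autorotation and adding new certificates fails" to "... fail" (compound subject). The rest of the hunk is consistent: both the RBAC path (Key Vault Secret User role) and the access policy path (List and Get under Secret permissions) keep the grant limited to secret read access, which is the least-privilege set the verification step at the end depends on.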
